O365 Security Administration
You have a MS365 subscription. From the MS365 Admin Center, you create a new user. You plan to assign the Reports reader role to the user. You need to view the permissions of the Reports reader role. Which Admin Center should you use?
ANSWER: Azure Active Directory
Lab: You need to ensure Sharepoint [email protected] receives an alert when a user establishes a sync relationship to a doc library from a computer that is a member of an AD domain.
1. Navigate to Manage Alerts in the Security & Compliance Center
2. On Activity Alerts page, click +New - The flyout page to create an activity alert is displayed
3. Complete the following fields to create an activity alert:
   a. Name: type name for alert; unique name within org
   b. Description (optional): describe alert i.e., activities & users being tracked, users that email notifications are sent to so other admins know purpose.
   c. Alert type: make sure Custom option selected
   d. Send this alert when: Click this and configure 2 fields:
      - Activities: select 1 or more activities to alert on
      - Users: Select 1 or more users to alert on
   e. Send this alert to: Click this and click Recipients box
4. Click SAVE
Verify status of alert is set to ON
LAB SIMULATION: You need to ensure that all links to malware.contoso.com within docs stored in MS Office 365 are blocked when the docs are accessed from O365 ProPlus applications.
ANSWER: 1. Sign in to MS365 Admin Center > Threat Mgmt > Policy > Safe Links 2. In 'Policies that apply to the entire organization', click DEFAULT, choose EDIT 3. In 'Block the following URLs' section, add malware.contoso.com link. 4. In 'Settings that apply to content except email' section, select all options 5. SAVE https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-atp-safe-links-policies?view=o365-worldwide
Your company has a main ofc and a MS365 subscription. You need to enforce MS Azure MFA by using conditional access for all users who are NOT physically present in the ofc. What should you include in the configuration?
ANSWER: A named location in Azure Active Directory.
You have a MS365 subscription. A customer requests you provide her with all docs that reference her by name. You need to provide the customer with a copy of the content. Which 4 actions should you perform in sequence?
ANSWER: 1. Create a Data Subject Request (DSR) case 2. View the results. 3. Save the search. 4. Export the results.
You have a MS365 subscription. You create and run a content search from the Security & Compliance admin center. You need to download the results of the content search. What should you obtain first?
ANSWER: An export key
An Admin configured Azure AD Privileged Identity Management as shown in exhibit: Security Requirement: Two new user admins named Admin1 and Admin2 will be responsible for managing Microsoft Exchange Online only. What should you do to meet the security requirements?
ANSWER: Change the Assignment Type for Admin1 to Eligible.
SIMULATION: You need to ensure the administrators can publish a label that adds a footer to email messages and documents. To complete this task, sign in to the MS Office 365 portal.
ANSWER: Configure a Sensitivity Label: 1. Go to Security & Compliance Admin Center 2. To Classification>Sensitivity Labels 3. Click on Create a label 4. Give label name & desc 5. Leave Encryption option as NONE | click NEXT 6. On Content Marking, check 'Add a footer' 7. Click Customize Text link, add footer, click SAVE | NEXT 8. Leave 'Auto-labeling for Office apps' off | NEXT 9. Click SUBMIT 10. Ready for publishing, click DONE
Your company has 500 computers. You plan to protect the computers by using MS Defender Advanced Threat Protection (Windows Defender ATP). Twenty of the computers belong to company executives. You need to recommend a remediation solution that meets the following requirements: - MS Defender ATP Administrators must manually approve all remediation for the executives. - Remediation must occur automatically for all other users. What should you recommend doing from MS Defender Security Center?
ANSWER: Create two machine groups.
HOTSPOT OVERVIEW: Contoso You are evaluating which devices are compliant in Endpoint Manager. For each of the following statements, select YES if the statement is true. Otherwise, select NO.
ANSWER: Device 2 compliant: Y Device 5 compliant: N Device 6 compliant: Y
SIMULATION LAB: You need to ensure that mail messages in Exchange Online and docs in SharePoint Online are retained for 8 years. Log in to MS Office 365 Admin Center
ANSWER: For our purposes, retention will be 8 years.
For retaining email messages in Exchange Online:
Step 1: Create a retention tag.
1. Navigate to the Exchange Admin Center
2. Navigate to Compliance Mgmt>Retention Tags, and then click Add+
3. Select one of following items:
   - Applied automatically to entire mailbox (def): this option creates a default policy tag (DPT) & a default archive policy to apply to all mailbox items
   - Applied auto to specified folder
   - Applied by users to items & folders
4. The 'New retention tag' title and options will vary depending upon which option you chose. Complete the fields
Step 2: Create a retention policy
1. Nav to Compliance management>Retention policies, click Add+
2. Complete fields and click Add+ for tags
A retention policy can contain following tags:
   - One DPT with Move to Archive action
   - One DPT with Delete & Allow Recovery or Permanently Delete actions
   - One DPT for voice msgs with the Delete & Allow Recovery or Permanently Delete actions
   - Any number of personal tags
Step 3: Apply retention policy to mailbox users
1. Nav to Recipients>Mailboxes
2. In list view, use SHIFT or CTRL keys to select multiple mailboxes
3. In details pane, click 'More options'
4. Under 'Retention Policy', click 'Update'
5. In 'Bulk Assign Retention Policy', select retention policy you want to apply to the mailboxes, click SAVE.
Access Security & Compliance Admin Center
1. Nav to O365 Admin Centers
2. Click Security & Compliance
Create and publish a Retention Policy on a SharePoint Site. Go to Data Governance>Retention
1. Click Create to create new Retention Policy
2. Name policy>NEXT
3. Configure settings>NEXT
4. Apply to SharePoint sites
5. Apply to single O365 group site
6. Review & confirm to create policy
You have a MS365 subscription. Yesterday, you created retention labels and published the labels to MS Exchange Online mailboxes. You need to ensure that the labels will be available for manual assignment as soon as possible. What should you do?
ANSWER: From Exchange Online PowerShell, run Start-ManagedFolderAssistant
You have a MS365 subscription. You have a team named Team1 in MS Teams. You plan to place all content in Team1 on hold. You need to identify which mailbox and which MS SharePoint site collection are associated to Team1. Which cmdlet should you use?
ANSWER: Get-UnifiedGroup
HOTSPOT: You configure MS Azure AD Connect as shown in following exhibit. Image: Microsoft Azure Active Directory Connect with Synchronized Directories Directory: Adatum.com Account: Adatum.com\MS0L_9c71dba7d1b9
ANSWER: If you reset a password in Azure AD of a synced user, the password will: be OVERWRITTEN. If you join a computer to Azure AD: an object will be provisioned in the RegisteredDevices container
You have a MS365 subscription that contains the users shown in the following table.
User    Role
------  ------
User1   Compliance Mgr Contributor
User2   Compliance Mgr Assessor
User3   Compliance Mgr Admin
User4   Portal Admin
You discover that all users in the subscription can access Compliance Manager reports. The Compliance Manager Reader role is not assigned to any users. You need to recommend a solution to prevent a user named User5 from accessing the Compliance Manager reports. Solution: You recommend removing User1 from the Compliance Manager Contributor role. Does this meet the goal?
ANSWER: NO
You have a MS365 subscription. You have a user named User1. Several users have full access to the mailbox of User1. Some email messages sent to User1 appear to have been read and deleted before the user viewed them. When you search the audit log in Security & Compliance, to identify who signed in to the mailbox of User1, the results are blank. You run the Set-AuditConfig -Workload Exchange command. Does that meet the goal?
ANSWER: NO
You have a MS365 E5 subscription. You implement Advanced Threat Protection (ATP) safe attachments policies for all users. User reports that email messages containing attachments take longer than expected to be received. You need to reduce the amount of time it takes to receive email messages that contain attachments. The solution must ensure that all attachments are scanned for malware. Attachments that have malware must be blocked. What should you do from ATP?
ANSWER: Set the action to Dynamic Delivery https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/dynamic-delivery-and-previewing?view=o365-worldwide
You have a MS365 subscription. All computers run Windows 10 Enterprise and are managed by using MS Endpoint Manager. You plan to view only security-related Windows telemetry data. You need to ensure that only Windows security data is sent to MS. What should you create from the Intune Admin Center?
ANSWER: A device configuration profile that has device restrictions configured. https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10#reporting-and-telemetry
Your company has a MS365 subscription that contains the users shown in the following table.
Name    Member Of
------- -------------
User1   Group1
User2   Group2
User3   Group3
The company implements MS Defender ATP and includes roles shown in following table:
Name                             Permission                                             Assigned User Group
-------------------------------  -----------------------------------------------------  -------------------
Role1                            View data/Active Remediation/Alerts investigation      Group1
Role2                            View data/Active Remediation                           Group2
MS Defender ATP Admin (default)  All                                                    Group3
MS Defender ATP contains the machine groups shown in the following table.
Rank   MachineGroup              Machine  UserAccess
-----  ------------------------  -------  ----------
First  ATPGroup1                 Device1  Group1
Last   Ungrouped machines (def)  Device2  Group2
For each of the following statements, select YES if true, otherwise, select NO
ANSWER: User1 can run an antivirus scan on Device1: YES User2 can collect an investigation package from Device2: NO User3 can isolate Device1: NO
HOTSPOT: You have an Azure AD tenant named contoso.com that contains the users shown in the following table.
Name    Member of
------- -------------
User1   Group1
User2   Group2
You register devices in contoso.com as shown in following table.
Name     Platform  Member of  MS Intune Managed
-------  --------  ---------  -----------------
Device1  Win10     GroupA     Yes
Device2  iOS       GroupB     No
You create app protection policies in Intune as shown in the following table.
Name     Platform  Mgmt State                      Assigned
-------  --------  ------------------------------  --------
Policy1  Win10     W/Enrollment                    Group1
Policy2  Win10     W/Enrollment                    Group2
Policy3  iOS       Apps on Intune Managed Devices  GroupA
Policy4  iOS       Apps on Intune Managed Devices  GroupB
For each statement, YES if true, otherwise, NO
ANSWER: When User1 uses Device1, Policy3 applies: NO When User2 uses Device1, Policy2 applies: YES When User2 uses Device2, Policy4 applies: NO* *GroupB is not MS Intune Managed, so Policy4 would not apply
You have a MS365 subscription that uses a default domain name of fabrikam.com. You create a safelinks policy, as shown in following exhibit. When users click a blocked URL, they're redirected to a web page that explains why the URL is blocked. Block following URLs: *.phishing.*.* malware.*com *.contoso.com Which URL can a user safely access from MS Word Online?
ANSWER: www.malware.fabrikam.com
You need to prevent any email messages that contain data covered by the UK Data Protection Act from being sent to recipients outside of your org, unless the messages are sent to an external domain named adatum.com. To complete this task, sign in to MS365 admin center.
ANSWER: 1. After signing into MS365 Admin Center, navigate to Compliance Mgmt in Exchange Admin Center. 2. Click on 'Data Loss Prevention' option 3. Add new custom DLP policy. Click on + (plus) button to get context menu. 4. Click 'New Custom DLP policy' option, enter policy name, desc, state, and mode of reqmt dets. Click SAVE. 5. On DLP screen, double-click on the added row to open policy dets, click rules option in left side of screen 7. Click (+) button to add new rule. Select 'Block messages with sensitive info' rule 8. Add condition, action, exceptions, rule activation and deactivation dates 9. Click 'Select Sensitive Info Types' 10. Click (+), add following Sensitive Info types: - UK National Ins Number(NINO) - US/UK Passport No. - SWIFT Code 11. Click OK 12. Add exception for recipients in adatum.com domain 13. Add recipients for incident reports, click OK 14. Click SAVE 2 times https://events.collab365.community/configure-data-loss-prevention-policies-in-exchange-online-in-office-365/
You need to create an eDiscovery case that places a hold on the mailbox of a user named Allan Deyoung. The hold must retain email messages that have a subject containing the word 'merger' or the word 'Contoso'. To complete this task, sign in to the MS365 admin center.
ANSWER:
1. Navigate to eDiscovery in the Security & Compliance Center, and then click 'Create a case.'
2. On the New Case page, give the case a name, type an optional description, and then click SAVE. The case name must be unique in your organization.
The new case is displayed in list of cases on eDiscovery page. You can hover cursor over a case name to display info about case, including the status of the case (Active or Closed), the description of the case (that was created in the previous step), when case was changed, and who changed it.
To create a hold for an eDiscovery case:
1. In Sec & Compliance Center, click eDiscovery>eDiscovery to display the list of cases in your org.
2. Click OPEN next to case that you want to create the holds in.
3. On HOME page for case, click HOLD tab.
4. On HOLD page, click CREATE
5. On NAME YOUR HOLD PAGE, enter a name. Name of hold must be unique in your org.
6. (Optional) in the DESCRIPTION box, add a desc of hold
7. Click NEXT
8. Choose content locations you want to place on hold. You can place mailboxes, sites, and public folders on hold.
   Exchange email - Click 'Choose users, groups, or teams', then click 'Choose users, groups, or teams' again, to specify mailboxes to place on hold. Use search box to find user mailboxes & distrib groups (to place a hold on mailboxes of group members) to place on hold. You can also hold associated mailbox for a MS Team, Yammer Grp, O365 Group. Select the user, group, team check box, click 'Choose', click DONE.
   Note: When you click 'Choose users, groups, or teams' to specify mailboxes to place on hold, the mailbox picker that's displayed is empty. This is by design to enhance performance. To add people to this list, type a name (a minimum of 3 chars) in search.
9. After configuring query-based hold, click NEXT
10. Review your settings, and then click 'Create this hold'.
https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-core-ediscovery?view=o365-worldwide#step-4-place-content-locations-on-hold
SIMULATION: You need to ensure that a user named Allan Deyoung uses multi-factor auth (MFA) for all auth requests. To complete this task, sign in to the MS365 admin center.
ANSWER: 1. Open the Admin Center and go to User > Active Users 2. Open MFA 3. Don't select any user yet, just open the MFA screen. You will find the button in the toolbar. 4. Setup MFA O365 A few settings are important here: - Make sure you check APP password. Otherwise, users cannot authenticate in some apps (like default mail app in Android). - Also, take a look at the remember function. Default is set to 14 days. https://lazyadmin.nl/office-365/how-to-setup-mfa-in-office-365/
LAB SIMULATION: You need to ensure that each user can join up to 5 devices to Azure AD. Sign in to MS365 Admin Center
ANSWER: 1. Sign in to MS365 Admin Center, click Admin Centers>Azure Active Dir>Devices 2. Device Settings 3. Set 'Users may join devices to Azure AD' setting to ALL 4. Set 'Additional local admins on Azure AD joined devices' setting to NONE 5. Set 'Users may register their devices with Azure AD' setting to ALL 6. Leave 'Require MFA to join devices' setting on default 7. Set 'Maximum number of devices' to 5 8. Set 'Users may sync settings and app data across devices' to ALL 9. Click SAVE https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal
You have a MS365 subscription. You need to ensure that users can manually designate which content will be subject to data loss prevention (DLP) policies. What should you create first?
ANSWER: A Data Subject Request (DSR) https://docs.microsoft.com/en-us/microsoft-365/compliance/manage-gdpr-data-subject-requests-with-the-dsr-case-tool?view=o365-worldwide#more-information-about-using-the-dsr-case-tool
Overview: Contoso Ltd. is a consulting company that has a main ofc in Montreal and 2 branch ofcs in Seattle and NY. You need to meet the technical reqmts of User9: Ensure that User9 can enable and configure Azure AD Privileged Identity Mgmt. What should you do?
ANSWER: Assign the Global Administrator role to User9.
Your network contains an on-premises AD domain. The domain contains servers that run Windows Server and have advanced auditing enabled. The security logs of the servers are collected by using a third-party SIEM solution. You purchase a MS365 subscription and plan to deploy Azure Advanced Threat Protection (ATP) by using standalone sensors. You need to ensure that you can detect when sensitive groups are modified and when malicious services are created. What should you do?
ANSWER: Configure Event Forwarding on the domain controllers. https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-event-forwarding
You have a hybrid MS365 environment. All computers run Win10 Enterprise and have MS Office 365 ProPlus installed. All the computers are joined to AD. You have a server named Server1 that runs WinServer 2016. Server1 hosts the telemetry database. You need to prevent private details in the telemetry data from being transmitted to Microsoft. What should you do?
ANSWER: Configure a registry entry on the computers.
Your network contains an on-premises AD domain. The domain contains the servers shown in the following table:
Name      Configuration
--------  ----------------
DC1       Domain Controller
Server    Member Server
You plan to implement Azure ATP for the domain. You install an Azure ATP standalone sensor on Server1. You need to monitor the domain by using Azure ATP. What should you do?
ANSWER: Configure port mirroring for DC1 https://docs.microsoft.com/en-us/azure-advanced-threat-protection/configure-port-mirroring
SIMULATION - To complete task, sign into MS O365 portal. You plan to publish a label that will retain documents in MS OneDrive for two years, and then automatically delete the documents. You need to create the label.
ANSWER: Create a retention label. 1. Go to Security & Compliance Center 2. Nav to Classification > Retention Labels 3. Click on +Create a new label 4. Give label a name, click NEXT 5. On the File plan descriptors, leave all options empty. The options in this page are used for auto-applying the retention label. Click NEXT. 6. Turn the Retention switch to ON 7. Under Retain the Content, set the period to 2 years 8. Under What do you want to do after this time?, select 'Delete the content automatically' option 9. Click NEXT 10. Click 'Create this label'. Label is ready to publish in MS OneDrive
You have a MS365 E5 subscription and a hybrid MS Exchange Server organization. Each member of a group named Executive has an on-premises mailbox. Only the Executive Group members have MFA enabled. Each member of a group named Research has a mailbox in Exchange Online. You need to use MS O365 Attack Simulator to model a spear-phishing attack that targets the Research group members. The email addresses you intend to spoof belong to the Executive group members. What should you do first?
ANSWER: Enable MFA for the Research group members
LAB SIMULATION: You need to ensure a user named Alex Wilber can register for MFA.
ANSWER: Enable Modern Auth for your organization. 1. Admin Center>Settings>Settings>Services Tab>Modern Authentication from list 2. Check 'Enable modern auth' box in Modern Auth panel. Enable MFA for org: 1. Admin Center>Users>Active Users 2. In Active Users, click MFA 3. On MFA page, select user if you are enabling for one user, or select Bulk Update to enable multiple users. 4. Click on Enable under Quick Steps. 5. In the Pop-up window, click 'Enable MFA' https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
You have a MS365 subscription that contains several Windows 10 devices. The devices are managed by using Microsoft Intune. You need to enable Windows Defender Exploit Guard (Windows Defender EG) on the devices. Which type of device configuration profile should you use?
ANSWER: Endpoint protection
HOTSPOT OVERVIEW: Fabrikam You plan to configure an access review to meet the security requirements for the workload admins. You create an access review policy and specify the scope and a group. Which other settings should you configure?
ANSWER: Frequency: - Weekly To ensure access is removed if an admin fails to respond, configure the: - Upon completion settings
You recently created and published several label policies in a MS365 subscription. You need to view which labels were applied by users manually and which labels were applied automatically. What should you do from the Security & Compliance Admin Center?
ANSWER: From Data governance, select Events
You have a hybrid MS365 environment. All computers run Win10 and are managed by MS Intune. You need to create a MS Azure AD conditional access policy that will allow only Win10 computers marked as compliant to establish a VPN connection to the on-premises network. What should you do first?
ANSWER: From the Azure AD admin center, create a new certificate. https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/ad-ca-vpn-connectivity-windows10
You have a MS 365 subscription that includes user named Admin1. You need to ensure that Admin1 can retain all mailbox content of users, including deleted items. Solution must use principle of least privilege. What should you do?
ANSWER: From the MS Admin Center, assign the Exchange Admin role to Admin1.
You have a M365 E5 subscription. A security manager receives an email message every time a data loss prevention (DLP) policy match occurs. You need to limit alert notifications to actionable DLP events. What should you do?
ANSWER: From the Security & Compliance admin center, modify the matched activities threshold of an alert policy. https://docs.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide
You have a MS365 E5 subscription. You need to ensure that users who are assigned the Exchange admin role have time-limited permissions and must use MFA to request the permissions. What should you use to achieve the goal?
ANSWER: MS Azure AD Privileged Identity Mgmt
You have a MS365 E5 subscription that is associated to a MS Azure AD tenant named Contoso.com. You use AD Federation Services to federate on-premises AD and the tenant. Azure AD Connect has the following settings:
- Source Anchor: objectGUID
- Password Hash Synch: Disabled
- Password Writeback: Disabled
- Directory Extension attribute sync: Disabled
- Azure AD app and attribute filtering: Disabled
- Exchange hybrid deployment: Disabled
- User writeback: Disabled
You need to ensure that you can use leaked credentials detection in Azure AD Identity Protection. Solution: You modify the Azure AD app and attribute filtering settings. Does this meet the goal?
ANSWER: NO
You have a MS365 subscription that contains 1,000 user mailboxes. An admin named Admin1 must be able to search for the name of a competing company in the mailbox of a user named User1. You need to ensure that Admin1 can search the mailbox User5 successfully. The solution must prevent Admin1 from sending email messages as User5. Solution: You modify the privacy profile, and then create a Data Subject Request (DSR) case. Does this meet the goal?
ANSWER: No
You have a MS365 subscription that contains the users shown in the following table.
Name    Role
------- -------------
User1   Compliance Mgr Contributor
User2   Compliance Mgr Assessor
User3   Compliance Mgr Admin
User4   Portal Admin
You discover that all the users in the subscription can access Compliance Mgr reports. The Compliance Manager Reader role is not assigned to any users. You need to recommend a solution to prevent a user named User5 from accessing the Compliance Manager reports. Solution: You recommend assigning the Compliance Manager Reader role to User5. Does this meet the goal?
ANSWER: No https://docs.microsoft.com/en-us/microsoft-365/compliance/working-with-compliance-manager?view=o365-worldwide
You have a MS365 subscription. You have a user named User1. Several users have full access to the mailbox of User1. Some email messages sent to User1 appear to have been read and deleted before the user viewed them. When you search the audit log in Security & Compliance to identify who signed in to the mailbox of User1, the results are blank. You need to ensure that you can view future sign-ins to the mailbox of User1. You run the Set-MailboxFolderPermissions -Identity "User1" -User [email protected] -AccessRights Owner command. Does that meet the goal?
ANSWER: No https://docs.microsoft.com/en-us/powershell/module/exchange/set-mailbox?view=exchange-ps
HOTSPOT Overview (Fabrikam): You install Azure ATP sensors on domain controllers. You add a member to the Domain Admins group. You view the timeline in Azure ATP and discover that information regarding the membership change is missing. You need to meet the security requirements for Azure ATP reporting. What should you configure? To answer, select appropriate options in answer area.
ANSWER: Policy to edit: Default Domain Controllers Policy Audit Setting to configure: Audit Security Group Management
You have a MS365 subscription. You have a MS SharePoint Online site named Site1. The files in Site1 are protected by using MS Azure Information Protection. From the Security & Compliance admin center, you create a label that designates personal data. You need to auto-apply the new label to all the content in Site1. What should you do first?
ANSWER: Remove Azure Information Protection from the Site1 files.
You have a MS365 subscription. You need to enable auditing for all MS Exchange Online users. What should you do?
ANSWER: Run the Set-Mailbox cmdlet
You have a MS365 subscription. You enable auditing for the subscription. You plan to provide a user named Auditor with the ability to review audit logs. Several days later, you discover that Auditor disabled auditing. You remove Auditor from the Global administrator role group and enable auditing. You need to modify Auditor to meet the following requirements: - Be prevented from disabling auditing - Use the principle of least privilege - Be able to review the audit log To which role group should you add Auditor?
ANSWER: Security operator https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?view=o365-worldwide
OVERVIEW: Contoso Ltd. Technical Requirements: User6, Member, London, Customer LockBox Access Approver Need to ensure that User6 approves Customer Lockbox requests as quickly as possible. What should User6 use to meet the technical requirements?
ANSWER: Service requests in the MS365 Admin Center.
SIMULATION: login to lab CTRL+K to reload portal in new browser if MS 365 portal does not load. Objective: You need to create a case that prevents members of a group named Operations from deleting mail messages that contain the word IPO.
ANSWER: Sign in to MS Office 365 Admin Center. 1. Security & Compliance Center 2. Click eDiscovery>eDiscovery and 'Create a case' 3. On New Case page, enter case name, optional description, SAVE. 4. Add members to the case by clicking the case you want to add members to 5. Enter names of members 6. Click ADD, then SAVE A hold or holds can be created by editing a case and clicking the HOLD tab and naming your HOLD. You can place mailboxes, sites, and public folders on hold. After configuring the hold, click NEXT and CREATE THIS HOLD. https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-core-ediscovery?view=o365-worldwide
OVERVIEW: Fabrikam You need to recommend a solution for the user admins that meets the security requirements for auditing. -User admins will work from diff countries -User admins will use Azure AD admin center - 2 new admins named Admin1 and Admin2 will be responsible for managing MS Exchange Online only Which blade should you recommend using from the Azure AD admin center?
ANSWER: Sign-ins *clue is in OVERVIEW; "The location of the user admins must be audited when the admins authenticate to Azure AD."
You have a MS365 subscription. You create a supervision policy named Policy1, and you designate a user named User1 as the reviewer. What should User1 use to view supervised communications?
ANSWER: The Security & Compliance Admin Center https://docs.microsoft.com/en-us/microsoft-365/compliance/supervision-policies?view=o365-worldwide
You create a DLP policy as shown in the following exhibit (New DLP policy) What is the effect of the policy when a user attempts to send an email message that contains sensitive information?
ANSWER: The user receives a notification and can send the email message.
HOTSPOT: Overview, Contoso Ltd. You are evaluating which finance dept. users will be prompted for Azure MFA credentials. For each of the following statements, select YES if statement is TRUE. Otherwise, select NO.
ANSWERS: A finance dept user who has an IP address from Montreal ofc will be prompted for MFA credentials: NO A finance dept. user who works from home and who has an IP address of 193.77.140.140 will be prompted for Azure MFA credentials: YES A finance dept user who has an IP address from the NY office will be prompted for MFA credentials: YES
SIMULATION: You need to ensure that a global administrator is notified when a document that contains U.S. Health Insurance Portability & Accountability Act (HIPAA) data is identified in your MS 365 tenant.
ANSWER: To complete this task, sign in to the MS Office 365 admin center. 1. In the Security & Compliance Center > left navigation > Data loss prevention > Policy > Create a policy. 2. Choose the US Health Insurance Portability and Accountability Act (HIPAA) template > Next 3. Name the policy > Next 4. Choose 'All locations in Office 365' > Next 5. At the first 'Policy Settings' step just accept the defaults 6. After clicking NEXT, you'll be presented with an additional 'Policy Settings' page. - Deselect the 'Show policy tips to users and send them an email notification' option - Select the 'Detect when content that's being shared contains' option, and decrease the number of instances to 1. - Select the 'Send incident reports in email' option. 7. > NEXT 8. Select the option to turn on the policy right away > NEXT 9. Click CREATE to finish creating the policy. https://docs.microsoft.com/en-us/microsoft-365/compliance/create-test-tune-dlp-policy?view=o365-worldwide https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide https://docs.microsoft.com/en-us/microsoft-365/compliance/what-the-dlp-policy-templates-include?view=o365-worldwide
Overview: Contoso Ltd Which user passwords will User2 be prevented from resetting?
ANSWER: User4 only
You have an on-premises AD domain named contoso.com. You install and run Azure AD Connect on a server named Server1 that runs Windows Server. You need to view Azure AD Connect events. You use the Application Event Log on Server1. Does that meet the goal?
ANSWER: Yes https://support.pingidentity.com/s/article/PingOne-How-to-troubleshoot-an-AD-Connect-Instance
SIMULATION: You need to ensure all users must change their passwords every 100 days. To complete task, sign into MS365 portal.
ANSWER: You need to configure the Password Expiration Policy 1. Sign in to MS365 Admin Center 2. In left nav pane, expand SETTINGS, select SETTINGS 3. Click on Security and Privacy 4. Select Password Expiration Policy 5. Ensure checkbox labeled 'Set user passwords to expire after a number of days' is checked 6. Enter 100 in the 'days before passwords expire' field 7. Click 'Save changes'
SIMULATION: You discover that MS SharePoint content is shared with users from multiple domains. You need to allow sharing invitations to be sent only to users in an email domain named contoso.com. To complete this task, sign in to the MS365 portal.
ANSWER: You need to configure the Sharing options in the SharePoint Admin Center. 1. Go to SharePoint Admin center 2. Navigate to Policies>Sharing 3. In the External Sharing section, click on 'More external sharing settings' 4. Click 'Limit external sharing by domain' checkbox 5. Click 'Add domains' 6. Select the 'Allow only specific domains' option and type in the domain contoso.com. 7. Click 'SAVE'
SIMULATION: You need to configure your organization to automatically quarantine all phishing email messages.
ANSWER: You need to edit the Anti-Phishing policy. 1. Go to Office 365 Security & Compliance Admin Center 2. Navigate to Threat Mgmt>Policy>ATP Anti-Phishing 3. Click Default Policy 4. In Impersonation section, click EDIT 5. Go to Actions section 6. In the 'If email is sent by an impersonated user:' box, select 'Quarantine the message' from drop-down 7. In the 'If email is sent by an impersonated domain:' box, select 'Quarantine the message' from the drop-down 8. Click SAVE 9. Click CLOSE
You need to recommend a solution to protect the sign-ins of Admin1 and Admin2. What should you include in the recommendations?
ANSWER: A user risk policy https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-configure-risk-policies
You have a MS365 subscription. A user reports that changes were made to several files in MS OneDrive. You need to identify which files were modified by which users in the user's OneDrive. What should you do?
ANSWER: From MS Cloud App Security, open the activity log. https://docs.microsoft.com/en-us/cloud-app-security/activity-filters
You have a MS365 Enterprise E5 subscription. You use MS Defender Advanced Threat Protection (MS Defender ATP). You plan to use MS365 Attack Simulator. What is a prerequisite for running Attack simulator?
ANSWER: Enable MFA
You have a MS365 E5 subscription. Some users are required to use an authenticator app to access MS SharePoint Online. You need to view which users have used an authenticator app to access SharePoint Online. The solution must minimize costs. What should you do?
ANSWER: From the Azure AD admin center, view the sign-ins.
You have a MS365 subscription. Some users access MS SharePoint Online from unmanaged devices. You need to prevent the users from downloading, printing, and syncing files. What should you do?
ANSWER: Run the Set-SPOTenant cmdlet and specify the -ConditionalAccessPolicy parameter.
You have a MS365 subscription that contains 1,000 user mailboxes. An administrator named Admin1 must be able to search for the name of a competing company in the mailbox of a user named User5. You need to ensure that Admin1 can search the mailbox of User5 successfully. The solution must prevent Admin1 from sending email messages as User5. Solution: You start a message trace, and then create a Data Subject Request (DSR) case. Does this meet the goal?
ANSWER: No
HOTSPOT: OVERVIEW Litware, Inc. How should you configure Azure AD Connect?
ANSWER: User sign-in settings: Pass-through authentication with single sign-on Device options: Hybrid Azure AD Join
You have a MS365 tenant. You create a label named CompanyConfidential in MS Azure Information Protection. You add CompanyConfidential to a global policy. A user protects an email message by using CompanyConfidential and sends the label to several external recipients who now report they cannot open the email message. You need to ensure that external recipients can open protected email messages sent to them. You modify the encryption settings of the label. Does that meet the goal?
ANSWER: NO
DRAG DROP: You have a MS365 subscription that uses an Azure AD tenant named contoso.com. All the devices in the tenant are managed by using MS Endpoint Manager. You purchase a cloud app named App1 that supports session controls. You need to ensure that access to App1 can be reviewed in real time. Which 3 actions should you perform in sequence? To answer, move the
ANSWERS: 1. From the Azure AD Admin Center, register App1 2. From the Azure AD Admin Center, create a conditional access policy. 3. From the Cloud App Security Admin Center, create an access policy.
You have a MS365 subscription that includes 3 users named User1, User2, and User3. A file named File1.docx is stored in MS OneDrive. An automated process updates File1.docx every minute. You create an alert policy named Policy1 as shown in the following exhibit.
ANSWERS: If User1 runs a scheduled task that copies File1.docx to a local folder every 5 mins.: Policy 1 will be triggered after 60 mins. If User1, User2, and User3 each run a scheduled task that copies File1.docx to a local folder every 10 mins.: Policy 1 will be triggered after 60 mins.
HOTSPOT: You have a MS365 subscription. You are creating a retention policy named Retention1 as shown in the following exhibit. (click Exhibit tab) Yes, I want to retain it for 2 years based on when it was last modified. Yes, delete it after this time. You apply Retention1 to SharePoint sites and OneDrive accounts. Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
ANSWERS: If a user creates a file in a MS SharePoint library on January 1, 2019, and modifies the file every six months, the file will be: RETAINED If a user creates a file in a MS OneDrive on January 1, 2019, modifies the file on March 1, 2019, and deletes the file on May 1, 2019, the user: CAN RECOVER THE FILE UNTIL MARCH 1, 2021
HOTSPOT: Your network contains an Active Directory domain contoso.com. The domain contains a VPN server named VPN1 that runs Windows Server 2016 and has the Remote Access server role installed. You have a MS Azure subscription. You are deploying Azure Advanced Threat Protection (ATP). You install an Azure ATP standalone sensor on a server named Server1 that runs Windows Server 2016. You need to integrate the VPN and Azure ATP. What should you do? To answer, select appropriate options in answer area.
ANSWERS: On VPN1: Configure an accounting provider. On Server1, enable the following inbound port: 1813
Your network contains an on-premises Active Directory domain named contoso.com. The domain contains the groups in the following table.
Name / Type / Email address
------------------------------
Group1 / Security Group-Domain Local / [email protected]
Group2 / Security Group-Universal / None
Group3 / Distribution Group-Global / None
Group4 / Distribution Group-Universal / [email protected]
The domain is synced to a MS Azure AD tenant that contains the groups shown in the following table.
Name / Type / Membership type
----------------------------------
Group11 / Security group / Assigned
Group12 / Security group / Dynamic
Group13 / Office 365 / Assigned
Group14 / Mail-enabled sec grp / Assigned
You create an Azure Information Protection policy named Policy1. You need to apply Policy1. To which groups can you apply Policy1? To answer, select appropriate options in answer area.
ANSWERS: On-Premises Active Directory groups: Group1 and Group4 only Azure AD groups: Group13 and Group14 only
HOTSPOT: You have a MS365 subscription. You identify the following data loss prevention (DLP) requirements: - Send notifications to users if they attempt to send attachments that contain EU social security numbers - Prevent any email messages that contain credit card numbers from being sent outside your organization - Block the external sharing of MS OneDrive content that contains EU passport numbers - Send admins email alerts if any rule matches occur. What is the minimum number of DLP policies and rules you must create to meet the requirements?
ANSWERS: Policies: 3 Rules: 3
HOTSPOT: You view Compliance Manager as shown in following exhibit. GDPR Compliance: 306/626 Customer Managed Actions: 7/65 MS Managed actions: 49/49
ANSWERS: To increase the GDPR Compliance Score for MS365, you: Assign action items The current GDPR Compliance score: Proves that the organization is non-compliant
Overview: Litware Inc. Create a group named Group2 that will include all the Azure AD user accounts. Group2 will be used to provide limited access to Windows Analytics. You need to create Group2. What are two possible ways to create the group?
ANSWERS: - A security group in the MS365 admin center - A security group in the Azure AD admin center
HOTSPOT: You have a MS365 subscription that contains the users shown in the following table.
Name / Role
---------------------
User1 / Global Admin
User2 / Privileged Role Admin
User3 / Security Admin
You implement Azure AD Privileged Identity Mgmt (PIM). From PIM, you review the Application Administrator role and discover the users shown in the following table.
Name / Assignment type
---------------------
UserA / Permanent
UserB / Eligible
UserC / Eligible
The Application Admin role is configured to use the following settings in PIM:
- Max activation duration: 1 hour
- Notifications: Disable
- Incident/Request ticket: Disable
- MFA: Disable
- Require approval: Enable
- Selected approver: No results
For each of the following statements, select YES if the statement is TRUE. Otherwise, select NO.
ANSWERS: - If UserB requests the App Admin role, User1 can approve the request of UserB: YES - If UserB requests the App Admin role, User2 can approve the request of UserB: YES - If UserC requests the App Admin role, User3 can approve the request of UserC: NO
You need to create Group3. Overview: Litware Create a group named Group3 that will be used to apply Azure Information Protection policies to pilot users. Group3 must only contain user accounts. What are two possible ways to create the group?
ANSWERS: 1. An O365 group in the MS365 admin center. 2. A distribution list in the MS365 admin center.
You have a MS365 subscription. You have a site collection named SiteCollection1 that contains a site named Site2. Site2 contains a doc library named Customers. Customers contains a doc named Litware.docx. You need to remove Litware.docx permanently. Which three actions should you perform in sequence?
ANSWERS: 1. Delete Litware.docx from Customers. 2. Delete Litware.docx from Recycle Bin of Site2 3. Delete Litware.docx from the Recycle Bin of SiteCollection1.
DRAG DROP: You have a MS365 E5 subscription. All computers run Win10 and are onboarded to MS Defender Advanced Threat Protection (MS Defender ATP). You create a MS Defender ATP machine group named MachineGroup1. You need to enable delegation for the security settings of the computers in MachineGroup1. Which three actions should you perform in sequence?
ANSWERS: 1. From the MS Azure portal, create an Azure AD group. 2. From MS Defender Security Center, create a role. 3. From MS Defender Security Center, config the permissions for MachineGroup1.
HOTSPOT: Your company has a MS365 subscription, and an Azure AD tenant named contoso.com. The company has the offices shown in following table:
Location / IP address space / Public NAT
----------------------------------
Montreal / 10.10.0.0/24 / 190.15.1.0/24
Seattle / 172.16.0.0/16 / 194.25.2.0/24
New York / 192.168.0.0/16 / 198.35.3.0/24
Tenant contains users:
User1, [email protected]
User2, [email protected]
You create MS Cloud App Security policy: Repeated activity by single user 30x in 1 minute for 10.10.0.0/24 OR 194.25.2.0/24 where activity=Download File where user from group=Application(Cloud App Security) as Actor Only. Alert using org's default settings with daily alert limit=5
ANSWERS: 1. In Montreal, if User1 downloads 40 files in 30 seconds, an alert will be created: YES 2. In Seattle, if User2 downloads 1 file/second for 2 minutes, an alert will be created: YES 3. In New York, if User1 downloads 40 files in 10 seconds an alert will be created: NO
HOTSPOT: You have a MS365 subscription that uses a default domain name of litwareinc.com. You configure the sharing settings in Microsoft OneDrive as shown in the following exhibit.
Links: Choose the kind of link that's selected by default when users share items. Default link type: Direct: Specific people
External Sharing: Users can share with:
SharePoint: New & existing
OneDrive: Existing external
Your sharing setting for OneDrive can't be more permissive than your setting for SharePoint.
*Advanced settings for external sharing = Allow only these domains: contoso.com, adnatum.com
ANSWERS: A user who has an email address of [email protected]: Cannot access OneDrive content If a new guest user is created for [email protected]: The user can access OneDrive content after a link is created.
Your company has a M365 subscription. The company does not permit users to enroll personal devices in mobile device mgmt (MDM). Users in the sales dept. have personal iOS devices. You need to ensure that the sales dept. users can use the MS Power BI app from iOS devices to access the Power BI data in your tenant. The users must be prevented from backing up the app's data to iCloud. What should you create?
ANSWERS: An app protection policy in Microsoft Endpoint Manager.
HOTSPOT: Overview Case Study Contoso Ltd. Which policies apply to which devices? To answer, select the appropriate options in the answer area.
ANSWERS: DevicePolicy1 - Device1 and Device3 only DevicePolicy2 - Device4 only
You have a MS Defender ATP deployment that has custom network indicators turned on. MS Defender ATP protects two computers that run Win10 as shown in table. Select Y or N for true or false statement
ANSWERS: From a web browser on: Computer1, you can open http://www.contoso.com = NO Computer1, you can open http://www.litwareinc.com/public = YES Computer2, you can open http://www.litwareinc.com = NO
You need to implement a solution to manage when users select links in documents or email messages from MS Office 365 ProPlus applications or Android devices. The solution must meet the following reqmts: - Block access to a domain named fabrikam.com - Store info when users select links to fabrikam.com
ANSWERS: Need to configure a Safe Links policy. 1. O365 Security & Compliance Admin Center. 2. Nav to Threat Management>Policy>Safe Links 3. In the 'Policies that apply to the entire organization' section, select 'Default', and click EDIT 4. In the 'Block the following URLs' section, type in *.fabrikam.com. This meets requirement 1. 5. In the 'Settings that apply to content except mail' section, unlock the checkbox labelled, 'Do not track when users click safe links'. This meets 2nd requirement. 6. Click SAVE https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-atp-safe-links-policies?view=o365-worldwide
DRAG DROP You have a MS 365 subscription. All users use MS Exchange Online. MS365 is configured to use the default policy without any custom rules. You manage message hygiene. Where are suspicious email messages placed by default? To answer, drag appropriate location to correct message type. Each option may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content
ATP Quarantine: Messages that are classified as phishing. The Junk Email folder of a user's mailbox: Messages that contain word-filtered content The Focused Inbox experience in a user's mailbox: **NONE**
Several users in your MS 365 subscription report that they have received an email without the attachment. You need to review the attachments that were removed from the messages. Which two tools can you use? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
Answers are: 1. The Exchange Admin Center 2. The Security & Compliance Admin Center
HOTSPOT Case Study: Litware Create a group named Group3 that will be used to apply Azure Information Protection policies to pilot users. Group3 must only contain user accounts. MFA testing requirements: Pilot users must use MFA unless they are signing in from the internal network of Chicago office. MFA must *NOT* be used on the Chicago office internal network. How should you configure Group3?
Answers: Group type: An Office 365 group in the MS 365 admin center Group Membership Criteria: A dynamic membership rule set to userType Equals Member
You have a MS 365 subscription. You create a retention policy and apply the policy to Exchange online mailboxes. You need to ensure that the retention policy tags can be assigned to mailbox items as soon as possible. What should you do?
From the Security & Compliance Admin Center, create a label policy.
You have a MS Azure AD tenant named contoso.com. Four Windows 10 devices are joined to the tenant as shown in the following table:
Name / Has TPM / BitLocker Encryption-protected C drive / BitLocker Encryption-protected D drive
----------------------------------
Device1 / Yes / Yes / No
Device2 / Yes / No / Yes
Device3 / No / Yes / Yes
Device4 / No / No / No
On which devices can you use BitLocker To Go and on which devices can you turn on auto-unlock? To answer, select the appropriate answer in the answer area.
BitLocker To Go: Device1, Device2, Device3, and Device4 Auto-unlock: Device1 and Device3 only Because both have BitLocker Drive encryption on C
You have a MS 365 Enterprise E5 subscription. You use MS Defender Advanced Threat Protection (MS Defender ATP). You need to integrate MS Office 365 Threat Intelligence & MS Defender ATP. Where should you configure the integration?
From the Security & Compliance Admin Center, select THREAT MANAGEMENT, then select EXPLORER.
You have a MS Azure AD tenant named contoso.com that contains the users shown in the following table.
Name / Member of / MFA Status
----------------------------------
User1 / Group1 / Disabled
User2 / Group1, Group2 / Enabled
You create & enforce an Azure AD Identity Protection user risk policy that has following settings:
- Assignments: Include Group1, Exclude Group2
- Conditions: Sign-in risk of Low & above
- Access: Allow access, Require password change
You need to identify how the policy affects User1 and User2. What occurs when User1 & User2 sign in from an unfamiliar location? To answer, select appropriate options in answer area.
Must change their password: Both User 1 and User2 Prompted for MFA: User 2 only
You have a MS 365 subscription that uses a default domain of contoso.com. MS Azure AD contains users in following table:
Name / Member of
---------------------
User1 / Group1
User2 / Group1, Group2
User3 / Group3
MS Endpoint Mgr has 2 devices enrolled as shown below:
Name / Platform
---------------------
Device1 / Android
Device2 / Windows 10
Both devices have 3 apps named App1, App2, App3 installed. You create an app protection policy named ProtectionPolicy1 with following settings:
- Protected apps: App1
- Exempt apps: App2
- Windows Information Protection mode: Block
From Dev1, User1 can copy data from App1 to App3: NO From Dev2, User1 can copy data from App1 to App2: YES From Dev2, User1 can copy data from App1 to App3: YES
You need to recommend an email malware solution that meets security requirements. What should you include in the recommendation? To answer, select appropriate options in the answer area.
Policy to create: ATP safe attachments Option to configure: Replace
SIMULATION: Sign in to the MS365 Admin Center. You need to create a retention policy that contains a data label. The policy must delete all MS Office 365 content that is older than 6 months.
STEPS: Creating Office 365 labels is a 2-step process. First step is to create label which includes name, description, retention policy, and classifying the content as a record. Once completed, 2nd step requires deployment of label using labeling policy which specifies the specific location to publish & applying label automatically. To create O365 label: 1. Open Security & Compliance Center 2. Click Classifications 3. Click Labels 4. Label will require configuration: name, description for admins, description for users 5. Click NEXT 6. Click Label Settings left-side menu 7. Retention=ON, 'When this label is applied to content', option 'Retain the content.' Choose length of retention and upon end of retention, action that will take place. The 3 actions are to delete the data, trigger an approval flow for review, or nothing can be actioned. The second option is to 'not retain the data after a specified amount of time' or based on age of data. 8. The label has now been created. To create label policy: 1. Open Security & Compliance Center 2. Click on Data Governance, Retention 3. Choose Label Policies box at top 4. Publish Labels or Auto-Apply labels
Lab: You need to ensure that group owners renew their Office 365 groups every 180 days.
Set group expiration. 1. Open Azure AD Admin Center with an account that is a global admin in your Azure AD org. 2. Select Groups, then select Expiration to open expiration settings 3. On Expiration page, you can: - Set group lifetime in days. You could select a preset value, or custom value (should be 31 days or more) - Specify email address where renewal & expiration notifications should be sent when a group has no owner - Select which O365 groups expire. You can set expiration for: +All O365 groups +A list of selected O365 groups +None to restrict expiration for all groups - Click SAVE
You have a MS Azure AD tenant named contoso.com that contains the users shown in the following table:
Name / Member of / MFA Status
----------------------------------
User1 / Group1, Group2 / Disabled
User2 / Group1 / Disabled
You create & enforce an Azure AD Identity Protection sign-in risk policy with following settings:
- Assignments: Include Group1, Exclude Group2
- Conditions: Sign-in risk of Low & above
- Access: Allow access, Require MFA
You need to identify how the policy affects User1 and User2. What occurs when each user signs in from an anonymous IP address? To answer, select appropriate options in answer area.
User1: Can sign in without MFA User2: Blocked
You have a MS 365 E5 subscription that is associated to a MS Azure AD tenant named contoso.com. You use Active Directory Federation Services (AD FS) to federate on-premises AD and the tenant. Azure AD Connect has the following settings:
- Source Anchor: objectGUID
- Password Hash Synch: Disabled
- Password Writeback: Disabled
- Directory extension attribute sync: Disabled
- Azure AD app and attribute filtering: Disabled
- Exchange hybrid deployment: Disabled
- User writeback: Disabled
You need to ensure you can use leaked credentials detection in Azure AD Identity Protection. Solution: You modify the Password Hash Synchronization settings. Does that meet the goal?
Yes. https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity
Your company plans to merge with another company. A user named Debra Berger is an executive at your company. You need to provide Debra Berger with all the email content of a user named Alex Wilber that contains the word merger. To complete this task, sign in to the Microsoft 365 portal.
You need to run a content search, then export the results of the search. 1. Go to MS 365 Compliance Admin Center 2. Navigate to Content Search under the Solutions section in the left navigation pane. 3. Click on + New Search to create new search 4. In Keywords box, type 'merger' 5. In Locations section, select Specific locations, click Modify link 6. Click Choose users, groups, or teams link 7. Type Alex Wilber in search field then select his account from search results 8. Click Choose button to add user, click Done 9. Click Save to close locations pane 10. Click SAVE & RUN 11. Next step is export results. Select search, under Export Results to Computer, click Start export 12. On Export Search Results page, under Output Options, select All Items 13. Under Export Exchange content as, select One PST File for each mailbox 14. Click on Start Export. When finished, there is an option to download exported PST file.